What is the purpose of LDAP groups to Keystone?

For keystone I understand the purpose of users, tenants, and roles, but when I use LDAP as a backend, what is the purpose of the LDAP groups? Are they supposed to replace tenants or roles or instead can I use the groups to assign roles to? For example, assign the Admin role to everyone in a certain group? (If so, I'd like to know how to do this with the CLI tool since the option is either missing or non-obvious).

2 answers

Groups can be used like groups in other applications. You can assign groups to projects instead of users. That way you aren't assigning a new user to a group every time you have to create one; instead, you are assigning a group to a project, then adding the user to the group in your user directory.

Groups can be managed through Horizon if you turn on the v3 API in Keystone and point to the v3 API in Horizon. This will give you access to groups/users/roles/domains/projects. You could also use the Keystone CLI if it's set up for v3 and your endpoint is v3.

We use LDAP groups at CERN to assign sets of people to roles. Since there are many IT applications and filesystems which need controlling and securing, a single place to manage people's responsibilities is a necessity.

Thus, someone who is part of our hardware maintenance team is part of a group. This group is given a role in OpenStack which allows them to open the console of virtual machines, suspend/resume, etc. The members of this group are also given some sudo rights on the hypervisors which is set by Puppet from the same LDAP source.

Thus, we manage membership of a group in LDAP and use Keystone to define the role associated with that group of users.
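Both answers describe the same split: membership lives in the directory, the grant lives in Keystone, and a user's effective roles are the join of the two. The added example below (not from the original thread or from Keystone's own code) models that join for project-scoped grants with constructed group memberships and assignments; the group names used as IDs, the `grant_request` helper, and the `prod` project are assumptions, and domain-scoped and inherited assignments are left out.

```python
"""Constructed sample: a group-scoped role grant resolving to per-user roles."""
from typing import Dict, List, Set, Tuple

# Constructed sample: group membership as managed in LDAP, not in Keystone.
LDAP_GROUPS: Dict[str, Set[str]] = {
    "hw-maintenance": {"alice", "bob"},
    "cloud-admins": {"carol"},
}

# Constructed sample: explicit assignments in the shape returned by
# GET /v3/role_assignments (without ?effective); group grants show as "group".
ROLE_ASSIGNMENTS: List[dict] = [
    {"group": {"id": "hw-maintenance"}, "role": {"id": "console_operator"},
     "scope": {"project": {"id": "prod"}}},
    {"group": {"id": "cloud-admins"}, "role": {"id": "admin"},
     "scope": {"project": {"id": "prod"}}},
    {"user": {"id": "dave"}, "role": {"id": "member"},
     "scope": {"project": {"id": "prod"}}},
]


def grant_request(project_id: str, group_id: str, role_id: str) -> Tuple[str, str]:
    """The v3 call behind `openstack role add --group G --project P R`."""
    return ("PUT", f"/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}")


def effective_assignments(assignments: List[dict],
                          groups: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Expand group grants into per-user grants (project scope only),
    the way GET /v3/role_assignments?effective does. Returns (user, project, role)."""
    effective: Set[Tuple[str, str, str]] = set()
    for a in assignments:
        project = a["scope"]["project"]["id"]
        role = a["role"]["id"]
        if "user" in a:
            effective.add((a["user"]["id"], project, role))
        else:  # group grant: every current member of the directory group gets the role
            for user in groups.get(a["group"]["id"], ()):
                effective.add((user, project, role))
    return sorted(effective)


def roles_for_user(user: str, assignments: List[dict],
                   groups: Dict[str, Set[str]], project: str) -> List[str]:
    """Roles a user holds on a project once group membership is taken into account."""
    return sorted(r for u, p, r in effective_assignments(assignments, groups)
                  if u == user and p == project)


if __name__ == "__main__":
    print(grant_request("prod", "hw-maintenance", "console_operator"))
    for row in effective_assignments(ROLE_ASSIGNMENTS, LDAP_GROUPS):
        print(row)
```

Removing a user from the LDAP group (no Keystone change) drops their derived roles, which is the revocation path the CERN answer relies on.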